Thoughts about online security

I work in IT and often have to deal with security issues. Based on that, you’d think I’d have my act together better than average when it comes to personal online accounts. And you’d be right, to a certain extent. I’ve always been more careful than average with account passwords and use MFA (multi-factor authentication) when it’s available. (MFA is when the site sends you a text or email with a code you need to enter to continue, or requires you to get a code from a separate authenticator app.)

But better than average can still be problematic. For example, while I mostly avoided the trap of using the same password everywhere, years ago before password managers were widely available, I followed a formula for determining my password for particular sites. It worked reasonably well, but on one particular site, the formula just happened to produce an easily guessable password.

Using a formula for passwords has a vulnerability similar to using the same password everywhere, in that it can make you reluctant to break the pattern. In the case of this particular site, I reasoned that it had MFA by default, so I was safe. Big mistake. One that burned me a few weeks ago.

It turned out that if the site had ever had MFA on by default, it had been discontinued at some point. It had an MFA option, but not one I knew about or had turned on. So the MFA I was leaning on wasn’t there, and the password was easy to guess. I was probably lucky the account hadn’t been compromised years earlier.

After dealing with the consequences, I decided I needed to clean up my act. I’ve used the randomly generated strong passwords from my password manager for the last few years, but hadn’t gone back and fixed old accounts, something I’ve been correcting for the last few weeks.

The reason I’m mentioning this is that statistics show most people are still trying to remember their passwords, and as a result 70% use the same ones on multiple sites, and some (21%) still use the same password everywhere. Statistically that means many of you fall into these groups. If so, I have some recommendations for you to consider.

  1. Use a password manager.
  2. Use the password manager to generate and keep track of strong unique passwords for every site.
  3. Turn on MFA (multi-factor authentication) when it’s available.

Chances are you’re probably already doing 1, using a password manager, since the major browsers have built-in ones. There are also separate, more full-featured password managers out there. A lot of people I work with swear by LastPass, which now requires a license to use well, but I also know someone happily using Bitwarden, which is free.

Yes, using a password manager does mean that your passwords are now stored somewhere. But all of the good managers encrypt them in such a manner that the people who produce the manager have no access. That doesn’t completely remove the risk, but at this point it’s a risk that is far less than the one incurred by using easily guessable passwords, or the same password on several sites. With the password manager you only have to remember one strong password (ideally backed up by MFA) for accessing the manager itself.

The trick, once you’re doing 1, is to remember to do 2. I largely was doing this through attrition. Every new account I signed up for had a strong randomly generated password. But I had never gotten around to going through all my old accounts. If you’re like me, you have hundreds. Doing them all at once is pretty overwhelming. After being burned, my solution has been to take care of the crucial (mostly money related) ones first, then gradually do a few of the others each day.

When changing passwords, it pays to keep this strong password generator site handy. All of the password managers will take a shot at generating passwords if you let them, but some sites (mostly banking and utility ones in my experience) are persnickety about what they’ll accept, and having the ability to control which characters go into the password can help.

(I’ve also found it a good idea, when dealing with these types of sites, to temporarily hold a copy of your old password in a text editor, in case the site rejects your new password but the password manager saves it anyway. In most cases, you’ll need that old password for subsequent change attempts.)
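The character control described above for picky sites, sketched as an added example (not code from this post or from any password manager). The `STRICT_SITE` policy, its symbol set and all function names are hypothetical.

```python
import math
import secrets
import string

# Hypothetical policy for a picky site (constructed for illustration).
STRICT_SITE = {
    "length": 16,
    "classes": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!@#$%",  # assumed: the site rejects every other symbol
    },
    # Minimum number of characters the site demands from each class.
    "required": {"lower": 1, "upper": 1, "digit": 1, "symbol": 1},
}


def alphabet(policy):
    """All characters the site accepts, de-duplicated."""
    return "".join(sorted(set("".join(policy["classes"].values()))))


def satisfies(password, policy):
    """True if the password uses only allowed characters and meets every minimum."""
    if len(password) != policy["length"]:
        return False
    if any(ch not in alphabet(policy) for ch in password):
        return False
    return all(
        sum(ch in policy["classes"][name] for ch in password) >= minimum
        for name, minimum in policy["required"].items()
    )


def generate_password(policy):
    """Draw uniformly from the allowed alphabet, retrying until the policy is met.

    Rejection sampling keeps every acceptable password equally likely, unlike
    schemes that pin one character class to a fixed position.
    """
    if sum(policy["required"].values()) > policy["length"]:
        raise ValueError("policy demands more characters than the length allows")
    chars = alphabet(policy)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(policy["length"]))
        if satisfies(candidate, policy):
            return candidate


def max_entropy_bits(policy):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return policy["length"] * math.log2(len(alphabet(policy)))


if __name__ == "__main__":
    print(generate_password(STRICT_SITE))
    print(f"at most {max_entropy_bits(STRICT_SITE):.0f} bits")
```

Even with the symbol set cut down to five characters, a 16-character password from this alphabet has an upper bound of about 97 bits, so a restrictive site policy costs little as long as the length stays up.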

Strong passwords make your accounts far more secure. But they may not help in cases where the site has a data breach. And data breaches happen all the time, so much that they don’t always receive the coverage they should in the news. Chances are, if you have a lot of accounts, and haven’t changed your passwords in a while, your information is included in a breach. For example, Twitter had one earlier this year.

You can check to see if your accounts are in a known breach on the Have I Been Pwned site, recommended by a lot of reputable sources. (I have no reason to distrust the site, but I recommend checking your email and passwords in separate incognito browser sessions.) Most of the password managers also have checks in place to warn you when a password has been compromised in a breach, as well as a scanning feature to preemptively check.

Of course, these are the breaches that are known. It’s disturbingly common for breaches to exist for years before they’re discovered. And realistically most of us don’t have the time to stay on top of this.
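For the password half of the breach check above, this added example (not from the post) shows how a lookup can be done without the password, or even its full hash, leaving your machine. It assumes the Pwned Passwords range endpoint operated by Have I Been Pwned, which the post does not mention; the response body and its counts are constructed so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_for_range_query(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is ever sent; the 35-character suffix
    stays local and is compared against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download all suffixes sharing this prefix (not called in this offline example)."""
    request = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"}
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password, range_body):
    """Number of times the password appears in the returned range, 0 if absent."""
    _, suffix = split_for_range_query(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(known_password, count):
    """Build a fake 'SUFFIX:COUNT' response containing one known password.

    Constructed sample data: the filler suffixes and all counts are made up.
    """
    _, suffix = split_for_range_query(known_password)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":0"])


if __name__ == "__main__":
    body = constructed_range_body("password", 42)
    prefix, _ = split_for_range_query("password")
    print("sent to the service:", prefix)
    print("matches found locally:", breach_count("password", body))
```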

Which is why 3, turning on MFA everywhere it’s available, is crucial. (Did you know that both WordPress and Twitter have this option?) MFA by itself dramatically reduces the chances of an account getting compromised, since it now requires a hacker to not only guess or acquire the password, but somehow get through the second factor. Just don’t make the mistake I did, and lean too heavily on it. 1 and 2 remain crucial.

At least while the password remains our primary method of authentication. Given all the problems with passwords, there’s a lot of interest in developing passwordless authentication mechanisms. Some services, like Uber (who also had a breach not that long ago), appear to have dispensed with passwords altogether and only support authentication through SMS. This is probably more secure, but I’m not wild about that still being the only authentication mechanism. (Phone numbers can be hijacked via SIM card hacking.)

Anyway, I thought I’d share my experience and the painful lessons learned. I know it can seem overwhelming, but trust me, it won’t be nearly as overwhelming as dealing with a compromised account, particularly if money or your identity is involved.


31 thoughts on “Thoughts about online security”

    1. Thanks. Hope you find some of it useful.

      The worrisome thing about easy to remember passwords is that they’re often easy to guess. If you haven’t changed them recently, I’d consider checking to make sure they’re not in a known breach.

      Liked by 1 person

        1. I hadn’t heard about Brave before, so can’t say much about it. I don’t know that it would help specifically with the security of your online accounts. Its value appears to be in preventing companies like Google and others from tracking you, if that’s a concern. It also sounds like it has a built in ad blocker, although there are plugins for that in the other browsers.

          Liked by 1 person

          1. I see what you mean about data stored at sites.
            ‘Brave’ became a big deal (alternative) after Google and Twitter censored many, probably the most notorious (apart from the President!) being Tulsi Gabbard after the Democrat Primary debate. I have used it since, and I really like it.

            Liked by 1 person

  1. John Denver songs + symbols + dates of childhood events.
    But, yeah, passwords are a problem. (Embedded needles in laptop finger pads to check my DNA, retinal scans, voice patterns, face-recognition, the movies are rife with alternatives.)
    Bring on the apocalypse.

    Liked by 2 people

    1. In the movies, that kind of thing typically results in the villain chopping someone’s body part off so they can hold it up to the scanner. But I think many of us use fingerprint and facial recognition on various devices these days.

      Liked by 1 person

  2. I think the MFA is critical for any sites where you manage a significant amount of money – banks, brokerage, etc. But it can be a pain for every site.

    I’ve been inconsistent about strong passwords. I will do better. 🙂 The problem with them is sometimes I need the password for the Fire stick or the phone so then I have to return to my main computer, go to the vault, look it up, write it down, and take it back to the other device.

    LastPass sometimes fails to detect the correct user and password for some sites even after it is saved in the vault. It also sometimes wants to save a password when you are actually entering the code for the MFA. If you aren’t careful you could end with the LastPass password out of sync with the site if you automatically click Save on the wrong dialog. Maybe the paid version does better. I probably should get the paid version since I’ve probably made more than my fair use of the product. I would recommend LastPass still overall.

    Liked by 1 person

    1. With MFA, most sites only make you do the second factor when logging in on a new device. So with WordPress and Twitter (which generally don’t make you login regularly anyway), once you’re logged in, you’re good, at least until you change your password again.

      On the Firestick issue, I use Roku and have had the same problem. Most Roku apps let you navigate separately on your laptop to the streaming provider’s website, where you can login with your strong password, then enter a code displayed by the app to authenticate. But a few require you to enter the account password on the Roku with the remote, which is painful with a regular password, and maddening with a strong one with lots of special and mixed case characters. It’s hard to avoid weakening the standard in those cases so you have something typeable.

      Thanks for the comments about LastPass. I’ve had the same issues with Chrome’s built in manager, and wondered if it would be any better with LastPass or one of the others. I discovered that I could make Chrome the autofill provider on my phone (replacing Apple’s built in keychain), which allows me to use the stored passwords to login to apps. It also allows me to lookup my passwords on the phone if I have to type one in manually somewhere. From what I’ve read, the paid version of LastPass allows you to do the same thing. I still may eventually do LastPass at some point.

      Liked by 1 person

  3. A valuable reminder! My hesitation with password managers has been the thought of losing all my passwords and account accesses if the link to the relevant server were to go down. What is your take on this?

    Liked by 1 person

    1. I had similar concerns when password managers first started coming out. But all the password managers I’m familiar with sync the passwords down to your local device (in an encrypted form). So if the service went offline, you’d still have access to them on every device you had the password manager installed.

      I also believe they generally allow you to export the passwords and import them into another service. (I know the built in Chrome and Firefox ones do. I’d make sure any other one I was considering had that feature.) You could also just hold on to the exported copy as a backup, although obviously that would be an extremely sensitive file and have to be stored with a lot of caution.

      Liked by 1 person

  4. I personally view security as a nuisance and use only as much of it as required by the site or the company. Not only do I have to remember to pay my bill, but I also need to remember the login and password to the site where to pay my bill. If I don’t remember it, I have to go jump through hoops to reset the password. Then the site would require me to use upper- and lower-case letters, digits, and special characters, and otherwise make sure I won’t remember the password by the time I have to pay the next bill. The simple act of punching a few numbers and hitting “Submit” takes almost as much time as going to the office, waiting in line, and paying cash. Why? What do I risk if someone breaks into my utility account? OMG! They may pay the bill FOR ME! I understand that someone hacking into your account can be unpleasant, but often the risks are severely exaggerated. Requiring MFA for your kid’s account on a free gaming site is overkill.

    Liked by 1 person

    1. I actually have my utilities all set to autopay. Life is too short to worry about whether the gas bill got paid.

      But I take your point about utility accounts. Still, I’d rather not have someone mucking around in there. They might cancel my service. Or figure out a way to get at payment details, or other confidential info the utility company might have on me. And local utility companies don’t always have the best security. If someone can guess your password there, and it’s the same one you use for banking and shopping sites, the consequences might be much worse.

      And I can tell you having an account involving money get hacked is stressful as hell, even if you catch it early. Particularly if the customer service is as useless as the bank I was dealing with.

      One thing about kids. It’s now pretty common for them to be targeted for identity theft, since it’s usually years before they realize what’s happening. And free stuff usually comes with a hidden cost. Just things to consider.

      Liked by 1 person

  5. On the broader topic of online security I would advise most people to freeze their credit. I had to do this myself a few years ago but actually now believe it is a good idea for almost everyone. The downside is that you need to unfreeze it if you apply for a loan. The plus side is that if your identity information is stolen it is almost impossible for anyone to use it to apply for credit cards or take out loans using your identity. It also mostly eliminates the unsolicited credit card and loan offers.

    The other thing to consider is a VPN. I do not have one but I am interested in opinions about how worthwhile it would be and to hear recommendations for which one.

    Liked by 1 person

    1. I currently have a fraud alert set on my credit. I thought about freezing it, but one of the services’ web UI was glitching, so I held off. But I might well freeze it before the alert expires. I like the idea of shutting it down until I need it.

      The scary thing about identity theft is they can also open checking accounts in your name, apply for unemployment benefits, file bogus tax returns, or a bunch of other stuff not affected by credit reports.

      I’m curious myself about VPNs. I use them for work all the time to get to firewalled systems, but have never looked into getting one for personal use. They seemed more compelling before SSL was pervasive. They can hide your location, which I’m sure is a benefit for a lot of people, but I wonder what they offer if that isn’t a big concern.

      Liked by 1 person

      1. Not sold totally on a VPN but best I can determine NordVPN might be the way to go if I decide to try it. It seems to have a lot of added features to the basic VPN and has thousands of servers so is regarded as one of the fastest.

        Liked by 1 person

  6. For a long time I used to devote barrels of ingenuity to devising complex yet fairly rememberable (if one knew a formula) password generation schemes which could be applied to various accounts. I still like this approach and eventually graduated to using 2 or 3-phase generator schemes to make it even harder to guess.

    I also worked in IT for many years. The amount of “meta-time” we have had to spend on side issues like customizing OS settings, dealing with security, etc has long ago soured me on the net value of the IT “revolution”. Besides, I await any month or year now hearing about a massive breach of password manager firm data in the news, as hacking techniques evolve.

    Liked by 2 people

    1. I’ve been through the same phases with passwords. I still use a pass phrase with my main work account, with numbers and special characters thrown in. But it’s tough to come up with a memorable phrase that isn’t a title or quote from somewhere. And that work account is MFA’d, as are all my key accounts, so I’m not depending on just the password itself.

      I think the IT revolution (and overall internet revolution) are by far net gains, but they definitely come with costs. Looking up things is far easier than when I was young when you had to do things like go to the library (and deal with the fact that what you’re looking up may be locally censored). I can effortlessly talk with people all over the world, something unimaginable when I was a boy. And I have access to services that would have required a lot more effort and expense several decades ago. But it all comes with the costs, like having to protect it.

      Liked by 1 person

      1. I loved libraries. And bookstores too. Nothing like wandering through the stacks and seeing examples of things on any subject from a time period of over a century ago to the present. I find that kind of browsing far more appealing and less intrusively curated than anything the web can offer, especially something like Amazon. I suppose what I am saying is that one is not always “looking up something”. But yes, many hold your opinion. I just disagree.

        Easily communicating with people all over the earth — yes, wonderful plus.

        Liked by 1 person

        1. I admit I miss the experience of bookstores. Of course they’re still there (at least some are), but it’s not the same. It’s like watching Saturday morning cartoons, a joy of my childhood. In an age where you can watch cartoons anytime you want, the Saturday morning part is pointless. Some things we can never go back to.


  7. Hadn’t heard of Have I Been Pwned before, but I’m going to add that to my online security routine. Apparently my Words With Friends account was compromised (I haven’t played in years), but otherwise it looks like I’m okay.

    Liked by 1 person

    1. Wow, sounds like you’re in much better shape than I was. When I ran it, about a dozen things came up. All of it was related to old accounts I’d already closed or changed the password on, but still sobering.

      But yeah, those old accounts we forget about can be a risk. Often it’s a minor one like with free gaming stuff. But sometimes those accounts have info in them we’ve forgotten about that can leave us exposed in unexpected ways. I just recently closed an ancient extra Paypal account that I’d utterly forgotten about. It didn’t have any current financial info, but if someone had gotten into it, they still might have caused trouble.

      Liked by 1 person

  8. Online security is not something I think about really, but I’ve been getting weird emails and even text messages lately saying I have a package coming when I know I don’t. (I haven’t clicked on anything.) Anyway, I found your post and comments strangely riveting.

    What do you think of writing passwords down on a piece of physical paper? Is that a bad idea? I am guilty of making up easy to guess passwords (though I do use MFA when it’s available) mainly because, although I want to use those strong password generators, I’m always afraid of getting locked out and not having access to my accounts.

    Liked by 1 person

    1. I get those messages too. They’re basically just phishing, attempts to trick you into revealing details, like your password on a fake login page. Best thing to do is just delete them. (Or if you’re using gmail, report them as phishing. I wouldn’t try to unsubscribe from any of them.)

      Historically security experts recommend against writing passwords down. The danger is someone might find the paper. It’s a real concern; one of my friends once had a problem with his kids using his password to order stuff, which they found on a piece of paper he had hidden away. But that danger seems minor compared to some hacker “out there” getting access to your account. Using a password manager is better, but only if you’re willing to use it.

      Lamentably, the way some sites handle passwords, they make it easy to lock yourself out when changing your password, particularly while using a password manager. It’s easy for the password manager to get confused and overwrite the existing password in storage when the site hasn’t yet accepted the new one. One feature I wish the built in Chrome password manager had was the ability to access previous versions of the password. As it stands, when I go to change a password, I make sure I have a copy of the current one in a text editor (with no associated info on what it pertains to) until I know the new one is in place.

      MFA is probably the best option for most people to harden their accounts. It covers for a lot of sins. Just make sure it’s really there. I actually wish sites would just do away with passwords and have us authenticate with those other mechanisms, maybe using two when logging in on a new device.


  9. It’s reassuring to hear that you get those messages too. I’m glad I don’t have to do anything more than delete them, because that’s all I’ve done.

    I can’t even tell you how many times I’ve been locked out of accounts due to a password manager remembering the wrong password. It’s usually my fault, actually, but still.


    1. I don’t think it’s your fault. It’s not even the fault of the password managers (although they could be better), since they only exist due to the problems with the whole password paradigm. The real issue is we pushed an old security mechanism far beyond its original scope. Something originally designed to stop your office colleagues from getting into your stuff is now supposed to hold off world class hackers throughout the world. Passwords really need to be retired as a mechanism. They’ve become an all around security risk.

      Liked by 1 person
